[Pidgin] #2216: Vulnerability in Pidgin 2.0.2 - remote authenticated to execute commands

Pidgin trac at pidgin.im
Fri Jul 20 12:19:46 EDT 2007


#2216: Vulnerability in Pidgin 2.0.2 - remote authenticated to execute commands
--------------------+-------------------------------------------------------
Reporter:  pr0gm3r  |       Owner:  sadrul                          
    Type:  defect   |      Status:  new                             
Priority:  minor    |   Component:  finch (gnt/ncurses)             
 Version:  2.0.2    |    Keywords:  vulnerability, exploit, security
 Pending:  0        |  
--------------------+-------------------------------------------------------
 Vulnerability Summary CVE-2007-3841
 Original release date: 7/17/2007
 Last revised: 7/19/2007
 Source: US-CERT/NIST


 Overview

 Unspecified vulnerability in Pidgin (formerly Gaim) 2.0.2 for Linux allows
 remote authenticated users, who are listed in a users list, to execute
 certain commands via unspecified vectors, aka ZD-00000035. NOTE: this
 information is based upon a vague advisory by a vulnerability information
 sales organization that does not coordinate with vendors or release
 actionable advisories. A CVE has been assigned for tracking purposes, but
 duplicates with other CVEs are difficult to determine.


 Impact

 CVSS Severity (version 2.0):
 Base score: 9.0 (High)
 Impact Subscore: 10.0
 Exploitability Subscore: 8.0

 Range: Network exploitable
 Authentication: Required to exploit
 Impact Type: Provides administrator access, Allows complete
 confidentiality, integrity, and availability violation, Allows
 unauthorized disclosure of information, Allows disruption of service


 References to Advisories, Solutions, and Tools

 External Source:

 Hyperlink: http://www.wslabi.com/wabisabilabi/initPublishedBid.do?


 External Source: BID

 Name: 24904

 Hyperlink: http://www.securityfocus.com/bid/24904


 Vulnerable software and versions

 Configuration 1
 Pidgin, Pidgin, 2.0.2, Linux



 Technical Details

 CVSS Base Score Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)

 Vulnerability Type: Input Validation Error


 CVE Standard Vulnerability Entry:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3841


 Common Platform Enumeration:
 http://nvd.nist.gov/cpe.cfm?cvename=CVE-2007-3841

-- 
Ticket URL: <http://developer.pidgin.im/ticket/2216>
Pidgin <http://pidgin.im>